<?php
// WEVAL Auth Session — DEFINITIVE v2
// Uses external password file — immune to sed/regex corruption
header('Content-Type: application/json');
session_set_cookie_params(["lifetime"=>86400,"path"=>"/","domain"=>".weval-consulting.com","secure"=>true,"httponly"=>true,"samesite"=>"Lax"]);
session_start();

$action = $_POST['action'] ?? $_GET['action'] ?? '';

if ($action === 'login') {
    $user = trim($_POST['user'] ?? '');
    $pass = $_POST['pass'] ?? '';
    
    require_once __DIR__ . '/weval-passwords.php';
    
    if (weval_verify_password($user, $pass)) {
        $_SESSION['weval_auth'] = true;
        $_SESSION['weval_authenticated'] = true;  // V95 unified: also set key for /auth/check
        $_SESSION['weval_user'] = $user;
        $_SESSION['weval_time'] = time();
        // V95 unified: set HMAC remember-me cookie for /auth/weval-auth.php
        $_AUTH_SECRET = 'W3v4l_Auth_S1mpl3_2026_X9K';
        $_exp = time() + (30 * 86400);
        $_sig = hash_hmac('sha256', $user . $_exp, $_AUTH_SECRET);
        $_cookie_data = base64_encode(json_encode(['user' => $user, 'sig' => $_sig, 'exp' => $_exp]));
        setcookie('weval_session', $_cookie_data, $_exp, '/', '.weval-consulting.com', true, true);
        $redir = $_POST["redirect"] ?? "/products/workspace.html";
        echo json_encode(["ok"=>true,"user"=>$user,"redirect"=>$redir]);
    } else {
        http_response_code(401);
        echo json_encode(["ok"=>false,"error"=>"Identifiants incorrects"]);
    }
    exit;
}

if ($action === 'logout') {
    $_SESSION = [];
    if (ini_get("session.use_cookies")) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time()-42000, $p["path"], $p["domain"], $p["secure"], $p["httponly"]);
    }
    session_destroy();
    echo json_encode(["ok"=>true]);
    exit;
}

if ($action === 'check') {
    if (!empty($_SESSION['weval_auth']) && $_SESSION['weval_auth'] === true) {
        echo json_encode(["ok"=>true,"user"=>$_SESSION['weval_user'] ?? '']);
    } else {
        http_response_code(401);
        echo json_encode(["ok"=>false]);
    }
    exit;
}

if ($action === 'status') {
    echo json_encode([
        "ok"=>true,
        "authenticated"=>!empty($_SESSION['weval_auth']),
        "user"=>$_SESSION['weval_user'] ?? null,
        "session_age"=>!empty($_SESSION['weval_time']) ? time()-$_SESSION['weval_time'] : null,
        "server"=>"S204",
        "version"=>"2.1"
    ]);
    exit;
}

if ($action === '') {
    header('Location: /api/weval-auth-session.php?action=status');
    exit;
}

echo json_encode(["ok"=>false,"error"=>"Unknown action. Use: check, status, login, logout"]);